Apache Log and _geoip_lookup_failure error

ssppune · January 9, 2018, 10:14am

I am using Apache behind HAProxy. The sample log file is as follows

194.1.143.146, 10.80.4.30 - - [13/Dec/2017:15:08:12 +0530] "GET /Portal/themes/js/language/showjs.js HTTP/1.1" 200 7106 "https://myserver.com/search/?searchElement=soccer&language=en" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"

The first IP is Client IP and second IP is HAproxy IP. I have noticed that because of presence of comma charater after ClientIP,
the error _geoip_lookup_failure is appearing. The X-Forwarded-For option in HAProxy provides comma separated IP addresses to Apache Log file. I want to filter this (,) character before index creation.
How can I filter this Comma charter so that geoip can get value after index creation?

Christian_Dahlqvist · January 9, 2018, 10:53am

What does your current Logstash configuration look like?

ssppune · January 9, 2018, 11:29am

Here is content of "/usr/share/logstash/logstash.conf
" file

input {
beats {
port => 5443
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
grok {
match => {
"message" => "%{COMBINEDAPACHELOG}"
}
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
add_tag => "geo_point"
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
output {
elasticsearch { hosts => ["localhost:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
stdout { codec => rubydebug }
}

and apache-filter.conf is as follows

filter {
grok {
match => {
"message" => "%{COMBINEDAPACHELOG}"
}
}
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
add_tag => "geo_point"
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}

Please note when I manually remove Comma(,) charater between two IPs, it works properly.

system · February 6, 2018, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_geoip_lookup_failure Logstash	3	133	July 3, 2024
Problems with geoip configuration Logstash	36	17834	July 6, 2017
_geoip_lookup_failure in Logstash pipeline using GeoLite2-City.mmdb Logstash	5	302	June 16, 2023
Why my geoip lookup is failing? Logstash	3	599	May 3, 2023
If IP results in _geoip_lookup_failure is it possible to fill geoip-related vields with a custom value? Logstash	4	252	May 1, 2023

Apache Log and _geoip_lookup_failure error

I am using Apache behind HAProxy. The sample log file is as follows

Here is content of "/usr/share/logstash/logstash.conf " file

Related Topics

Here is content of "/usr/share/logstash/logstash.conf
" file